Re: Problem with firewalld/iptables and ftp access list?

Michael D. Setzer II Mon, 03 Oct 2016 00:35:32 -0700

Cleaned up the firewall-config extra port options, and tried it on another
machine as well. Did note that after a reboot, it shows nf_conntract_ftp as
being loaded, but not being used by anything. If I stop firewalld and start
iptables it then shows that it is being used??


firewall-config
services checked?
dhcpv6-client
ftp
mdns
ssh
vnc-server

ports
5979 tcp (used for vnc)
9000 tcp (used by udpcast)
9000 udp
9001 tcp
9001 udp

lsmod | grep nf

nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
nf_conntrack_ftp       16384  0
nf_reject_ipv6         16384  1 ip6t_REJECT
nf_conntrack_ipv6      20480  15
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
nf_nat_ipv6            16384  1 ip6table_nat
nf_conntrack_ipv4      16384  15
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 28672  3 nf_nat_ipv4,nf_nat_ipv6,nf_nat_masquerade_ipv4
nf_conntrack          102400  8
nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_co
nntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
nfnetlink              16384  1 ip_set
binfmt_misc            20480  1
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor
preset: enabled)
   Active: active (running) since Mon 2016-10-03 16:46:13 ChST; 3min 45s
ago
     Docs: man:firewalld(1)
 Main PID: 5198 (firewalld)
    Tasks: 3 (limit: 512)
   CGroup: /system.slice/firewalld.service
           └─5198 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--destination 192.168.122.0/24 --out-interface virbr0 --match conntrack
--ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--out-interface virbr0 --jump REJECT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
--in-interface virbr0 --jump REJECT' failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT
--out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT'
failed:
Oct 03 16:46:14 d7aa.guamcc.net /firewalld[5198]: WARNING:
COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
--in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT'
failed:
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor
preset: disabled)
   Active: inactive (dead) since Mon 2016-10-03 16:40:51 ChST; 9min ago
  Process: 4717 ExecStop=/usr/libexec/iptables/iptables.init stop
(code=exited, status=0/SUCCESS)
  Process: 3640 ExecStart=/usr/libexec/iptables/iptables.init start
(code=exited, status=0/SUCCESS)
 Main PID: 3640 (code=exited, status=0/SUCCESS)

Oct 02 21:33:20 d7aa.guamcc.net systemd[1]: Starting IPv4 firewall with
iptables...
Oct 02 21:33:20 d7aa.guamcc.net iptables.init[3640]: iptables: Applying
firewall rules: [  OK  ]
Oct 02 21:33:20 d7aa.guamcc.net iptables.init[3640]: iptables: Loading
additional modules: ip_nat_ftp [  OK  ]
Oct 02 21:33:20 d7aa.guamcc.net systemd[1]: Started IPv4 firewall with
iptables.
Oct 03 16:40:50 d7aa.guamcc.net systemd[1]: Stopping IPv4 firewall with
iptables...
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Setting chains
to policy ACCEPT: security mangle raw nat filter [FAILED]
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Flushing
firewall rules: [  OK  ]
Oct 03 16:40:51 d7aa.guamcc.net iptables.init[4717]: iptables: Unloading
modules: [  OK  ]
Oct 03 16:40:51 d7aa.guamcc.net systemd[1]: Stopped IPv4 firewall with
iptables.

_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: Problem with firewalld/iptables and ftp access list?

Reply via email to